Open wshelley opened 1 year ago
GeoNetwork doesn't use any function from Apache commons-text
directly in its source code. It's included in GN because it is a dependency of Geotools.
According with this PR (https://github.com/geotools/geotools/pull/4048) in the Geotools project versions of Geotools using common-text
< 1.10.0
aren't affected because it only uses WordUtils.abbreviate(...)
and WordUtils.capitalizeFully()
, methods that don't do string interpolation.
In summary: GN is not affected by CVE-2022-42889 even when it includes a vulnerable commons-text
version (1.6
).
Thank you @juanluisrp that answers my question and will provide the reassurance to our team 👍
@juanluisrp
FYI
Due to this issue, Docker hub is flagging the image as vulnerable.
Is it possible to exclude the jar/dependency if it is not used?
No, Geotools doesn't use the vulnerable string interpolation but it still uses Common Text library. The way to fix this is to update our Geotools dependency with a version that doesn't rely in the vulnerable version of commons-text.
To follow @juanluisrp direction the version of geotools to use on the 3.12 branch should be 26.x or newer.
Since this is raising flags from vulnerability scans.
Is there any guidance on the impact of CVE-2022-42889 (Text4Shell) in GeoNetwork?
It sounds like its much more difficult to exploit than the likes of Log4Shell issue earlier in the year. But would be useful to get confirmation that GeoNetwork is not affected.
Trivy is currently showing that the latest GeoNetwork version (3.12.7 or 4.2.1) has the vulnerable library: